Cybereason discovers NotPetya Vaccine

Jun 27 2017

Post by: Cybereason Intelligence Team

Cybereason Principal Security Researcher Amit Serper discovered a work around solution that disables the NotPetya ransomware that wreaked havoc in Europe on Tuesday. To activate the vaccination mechanisms users must locate the C:\Windows\ folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files.

When first run, the NotPetya ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease operating. Once the original file name was found and verified by two different sources, Amit was able to piece together a kill switch that should work for any instance of the original ransomware infection.